๐
Effective from: June 4, 2026
Short summary: We collect only what we need to teach you, never sell your data, encrypt everything in transit, and let you delete your account and all data with one click from your dashboard. If you are under 18, a parent must consent on your behalf (India DPDP Act 2023, COPPA, and GDPR-K). Questions? Email
support@msctutor.in.
1. Who we are (Data Fiduciary)
MscTutor (โweโ, โusโ, โthe Serviceโ) operates msctutor.in. We are the Data Fiduciary for personal data collected on this platform under Indiaโs Digital Personal Data Protection Act 2023 (DPDP), and the Data Controller under the EU GDPR. All correspondence about your data: support@msctutor.in.
2. What we collect
- Account data: name, email, phone (optional), class, board, language preference.
- Authentication data: Firebase UID and authentication metadata (we never see or store passwords).
- Learning data: questions you ask, answers shown, XP, streaks, saved bookmarks, AI Teacher chat transcripts.
- School data (if youโre part of a school account): attendance, homework submissions, exam results, class assignments.
- Usage telemetry: pages visited, AI calls, OCR pages, voice/avatar minutes, IP address (for rate limiting and abuse detection).
- Payment data: handled by Razorpay โ we receive only the order ID, plan name, amount, and capture status. We never see your card or UPI credentials.
- Cookies & local storage: session token, dark-mode preference, saved-questions cache. No third-party ad tracking.
3. Why we collect it (lawful basis)
Each category of data has a specific purpose:
- Contract performance โ delivering AI answers, AI Teacher chat, mock tests, voice/avatar features you signed up for.
- Consent โ push notifications, marketing emails (you can opt out anytime).
- Legitimate interest โ fraud prevention, rate limiting, security logging.
- Legal obligation โ tax invoices, response to lawful government requests.
4. Children and minors (DPDP ยง9, COPPA, GDPR-K)
Indiaโs DPDP Act treats every user under 18 as a child. COPPA (US) and GDPR-K (EU) set the age at 13 and 16 respectively. We apply the strictest standard:
- Users under 18 must have a parent or guardian accept these terms.
- We never serve behavioural advertising or run profiling on minors.
- School accounts: the school administrator certifies they have collected appropriate parental consent before adding any student record.
- A parent or guardian may at any time email support@msctutor.in to review, correct, or permanently delete their childโs data.
5. Your rights
Under DPDP / GDPR / COPPA you have the right to:
- Access โ get a copy of your data. Use Dashboard โ Settings โ Export My Data.
- Correct โ edit your profile from Dashboard โ Settings.
- Erase โ Dashboard โ Settings โ Delete My Account triggers permanent deletion within 30 days (some billing records are retained 8 years per GST Act).
- Withdraw consent โ at any time, with no effect on lawful processing already done.
- Portability โ export your data in machine-readable JSON.
- Object โ opt out of marketing emails via the unsubscribe link in every email.
- Grievance โ write to our Grievance Officer at support@msctutor.in. We acknowledge within 7 days and resolve within 30 days.
- Lodge a complaint with the Data Protection Board of India once it is operational, or with your local supervisory authority (EU residents).
6. Third-party processors
We share necessary data with the following processors. Each is bound by a Data Processing Agreement:
- Google Firebase (US) โ authentication and push notifications.
- Razorpay (India) โ payment processing. Razorpayโs privacy policy: razorpay.com/privacy.
- DeepSeek AI / Hugging Face โ question text is sent to AI for answer generation. Prompt content is not stored beyond the API call.
- Cloudflare R2 โ file storage (profile photos, OCR uploads).
- Upstash Redis โ session, rate limit, and usage counters.
- Vercel โ hosting and CDN.
We never sell or rent your personal data.
7. International transfers
Some processors operate outside India (Firebase in the US, Vercel in the US/EU). Such transfers happen under Standard Contractual Clauses or equivalent safeguards required by DPDP ยง16 and GDPR Chapter V.
8. Retention
- Active accounts: data is kept while your account is open.
- Deleted accounts: personal data is purged within 30 days; pseudonymised learning analytics may be kept up to 90 days for service improvement.
- Billing records: 8 years (Indian GST + Income Tax compliance).
- Server access logs: 30 days (security investigations only).
- Backups: rotated out within 35 days.
9. Security
- TLS 1.3 in transit, AES-256 at rest for files.
- Firebase Authentication (no password ever stored by us).
- HMAC-SHA256 verification on every Razorpay webhook and top-up.
- Role-based access control (RBAC) for admin/teacher/school routes.
- Rate limiting and prompt-injection guards on every AI endpoint.
In case of a personal-data breach we will notify affected users and the Data Protection Board within 72 hours, as required by DPDP ยง8(6) and GDPR ยง33.
10. Cookies
We use first-party cookies only:
- msc_auth_token โ your session, required to log in.
- theme / lang preferences โ improve your experience, no tracking.
- analytics counter โ privacy-safe, aggregated only, no individual profiling.
You may decline non-essential cookies via the banner on first visit, or clear them via your browser settings at any time.
11. AI and generated content
Our AI Teacher and Ask AI features send your question text to third-party LLM APIs (DeepSeek, Hugging Face). Question text becomes part of our retrieval database for educational benefit of other students but is never associated with your name, email, or school in any public display.
12. Changes to this policy
We will email registered users at least 14 days before a material change to this policy. Continued use after the effective date constitutes acceptance.
13. Grievance Officer
Name: MscTutor Grievance Officer
Email: support@msctutor.in
Response SLA: acknowledge within 7 days, resolve within 30 days